There’s a good primer on CORS here on MDN. The most commonly used example is a bank website: if the user is logged into
mybank.com, and also visits your site
evil.com, any requests made by code running in the context of
mybank.com include the header
Origin: https://evil.com. The browser will make the request but won’t let the code have the response it gets back unless there is a response header
Access-Control-Allow-Origin: https://evil.com (or
*, but only if you’re not including credentials.)
Simon, I saw your other post, the problem is you’re trying to set a response header on your request. The point of CORS is that the server can declare (via the ACA-Origin header) when a resource is allowed to be accessed from a different origin. You don’t get to decide that as a client.
Both of you need to look at the service you’re requesting data from – sounds like that’s tile imagery? If the service is under your control, you can look for “CORS header (name of your web server software)” and find a guide for how to add static or dynamic CORS headers to outbound requests. If the service is not under your control, you’ll have to proxy requests through another server that you do control, which can either be in the same origin as where your site is hosted, or add ACA-Origin headers before forwarding the response.